
IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS, VOL. 19, NO. 10, OCTOBER 2000 1149

Sequential Synthesis Using S1S

Adnan Aziz, Felice Balarin, Member, IEEE, Robert K. Brayton, Fellow, IEEE, and Alberto Sangiovanni-Vincentelli, Fellow, IEEE

Abstract—We propose the use of the logic S1S as a mathematical framework for studying the synthesis of sequential designs. We will show that this leads to simple and mathematically elegant solutions to problems arising in the synthesis and optimization of synchronous digital hardware. Specifically, we derive a logical expression which yields a single finite state automaton characterizing the set of implementations that can replace a component of a larger design. The power of our approach is demonstrated by the fact that it generalizes immediately to arbitrary interconnection topologies, and to designs containing nondeterminism and fairness. We also describe control aspects of sequential synthesis and relate controller realizability to classical work on program synthesis and tree automata.

Index Terms—Automata theory, discrete control, mathematical logic, sequential logic synthesis.

I. INTRODUCTION

THE advent of modern VLSI CAD tools has radically changed the process of designing digital systems. The first CAD tools automated the final stages of design, such as placement and routing. As the low level steps became better understood, the focus shifted to the higher stages. In particular, logic synthesis, the science of optimizing gate level designs for measures such as area, speed, or power, has shifted to the forefront of CAD research.

Logic synthesis algorithms originally targeted the optimization of two-level logic; this was followed by research in synthesizing more general multilevel logic. Currently, a major thrust in logic synthesis is sequential synthesis, i.e., the automatic optimization of the entire system. This is for designs specified at the structural level in the form of netlists, or at the behavioral level, i.e., in the form of finite state machines (FSMs). De Micheli [21] gives an excellent introduction to logic synthesis.

Designs invariably consist of a set of interacting components. The environment of a particular component gives rise to a certain amount of flexibility when implementing it; this flexibility can be exploited by optimization tools. For example, a datalink controller interacting with a bus operating in single processor mode may never see requests on consecutive cycles. This may help simplify the logical circuitry associated with the datalink controller.

Manuscript received November 6, 1999; revised March 17, 2000. This work was supported in part by grants from the Semiconductor Research Corporation and the National Science Foundation. This paper was recommended by Associate Editor M. Papaefthymiou.

A. Aziz is with the Department of Electrical and Computer Engineering, University of Texas at Austin, Austin, TX 78712 USA (e-mail: [email protected]).

F. Balarin is with the Cadence Berkeley Laboratories, Berkeley, CA 94704 USA.

R. K. Brayton and A. Sangiovanni-Vincentelli are with the Department of Electrical Engineering and Computer Sciences, University of California at Berkeley, Berkeley, CA 94720 USA.

Publisher Item Identifier S 0278-0070(00)09144-2.

Typically, the synthesis process has two stages: first, the set of all possible implementations is characterized using some finite structure (which is the topic of this paper); subsequently, one is chosen according to some optimality criteria (e.g., minimum state [15]). For combinational designs, the problem of determining and using the flexibility afforded by “don’t care” conditions is well solved both in theory and practice [28].

We propose the use of the logic S1S as a mathematical framework for studying the synthesis of sequential designs. We will show that this leads to simple and mathematically elegant solutions to problems arising in the synthesis and optimization of synchronous digital hardware. Specifically, we derive a logical expression which yields a single finite state automaton characterizing the set of implementations that can replace a particular component which is part of a larger design. The power of our approach is seen by the fact that it can be applied to designs containing nondeterminism and fairness [8], [18], and also to arbitrary interconnection topologies.

Optimization of compositional designs may result in combinational cycles, i.e., loops consisting solely of gates. Even though such loops can sometimes be used to optimize circuits, it is considered good design practice to avoid them, because cyclic circuits are difficult to analyze, and can have undesired oscillatory behaviors [3], [19], [29]. Guided by design practice, we identify flexibility available for synthesis while ensuring that cycles of logic will not be introduced by optimization.

The term “synthesis” is used in the theoretical computer science community to describe the process of taking a logical specification and checking if there exists a model which satisfies it. The model depends on the context; for example, it could be a Turing machine program [20], a finite state transducer [23], or a dataflow graph [1]. The issues involved in this discipline include decidability, complexity, and expressiveness of the specification language. In this paper we will be mostly concerned with the optimization problem; we will make a connection to program synthesis.

Previous work in the VLSI design automation community related to optimizing interacting sequential designs has tended to be ad hoc, incomplete, and, sometimes, simply incorrect. The constructions and proofs offered are often extremely cumbersome. This is witnessed by a number of previous papers [10], [26], [5], [17], [33]–[35].

Similar problems have been considered in the control community under the label “model matching” [6], in the discrete event system (DES) community under the label “supervisory control” [37], [25], and in concurrency theory they appear as “scheduler synthesis” [36] and “equation solving” [22]. Compared to model matching approaches [6] we limit somewhat the choice of possible controllers. The limitation is not serious in the hardware context, because it rules out only those circuits that result in a loop of combinational gates when composed (as previously remarked, avoiding combinational loops is considered good design practice). On the positive side, we allow more general specifications and provide a uniform methodology that is applicable to various model matching problems. This general framework also strictly subsumes the problem considered in [35]. Compared to supervisory control of DES [25], our approach offers the advantage of being compatible with FSM techniques that have seen continuous development in the past three decades (e.g., [16] and [35]), provides a more natural model of reactive systems, and allows a significantly simpler development of results.

0278–0070/00$10.00 © 2000 IEEE

We have chosen input-output language containment as a correctness criterion because it allows loose specifications, where a range of behaviors may be acceptable. Here, we differ from most of the previous approaches in the process algebra setting, where a much stronger relation, typically some form of bisimulation equivalence, is used [22]. The exception is [14], which offers a general framework where the satisfaction relation is not set a priori, but can be defined by a formula in a logic that can express, among other relations, both simulation and bisimulation. However, the procedure presented in [14] generates only a single solution. We believe that it is advantageous to separate the solution process into two stages: first, all the possible solutions are characterized, and then one is chosen according to some optimality criteria.

The rest of this paper is structured as follows: in Section II we give definitions, in particular those connected to hardware, design composition, and fairness. In Section III, we review S1S logic and finite state automata, and use these notions to assign semantics to hardware. In Section IV, we use S1S to logically characterize the flexibility that can be used to optimize components in hierarchical designs. The relationship to the more classical view of program synthesis in the form of Church’s problem [24], automata on trees, and fairness is described in Section V. We summarize our contributions in Section VI and suggest a number of ways of extending our results.

II. FORMAL MODELS FOR HARDWARE

In order to be able to formally reason about hardware, we need to develop mathematical models for digital systems. In this section, we develop two formalisms for expressing designs, namely FSMs and netlists. FSMs are more abstract—they correspond to the behavioral specification as given by the designer. Netlists are “structural”—they are closer to the actual implementation.

A. Sequences

A finite sequence on a set is a function whose range is that set and whose domain is a prefix of the set of natural numbers. An infinite sequence (which we will interchangeably refer to as an ω-sequence) on a set is a function mapping the natural numbers to that set. We will write a finite sequence by listing its elements in order; an infinite sequence is written in the same way. Given a sequence (finite or infinite), its i-th element is the value of the function at i. The elements of the range that occur infinitely often in an infinite sequence will be denoted by inf of that sequence. The length of a finite sequence is the cardinality of its domain.

Given any sequence (finite or infinite) and a natural number i, the i-th prefix of the sequence is the finite sequence consisting of its first i elements. The set of all finite sequences over a set is written with a superscript star, and the set of all infinite sequences over it with a superscript ω. Subsets of the former will be referred to as *-languages; subsets of the latter will be referred to as ω-languages.

B. FSMs

FSMs provide a natural way of describing systems in which the output depends not only on the current input, but also on past values of the input, while possessing only a bounded amount of memory. FSMs are described in [13, p. 42]; below we develop enough theory to suffice for this paper.

Definition 1: An FSM is a six-tuple consisting of a finite set referred to as the states, an initial state, finite sets referred to as the set of inputs and the set of outputs respectively, a next-state function mapping a state and an input to a state, and an output function mapping a state and an input to an output.

The next-state function can be inductively extended from single inputs to finite sequences of inputs, yielding the state reached from a given state after the whole sequence has been applied (the empty sequence leaves the state unchanged).

An FSM can be represented graphically by a directed finite graph, referred to as a state transition graph, where the vertices correspond to states. The edges are labeled with input-output value pairs: the input value enables the transition, and the output value is produced. The destination node of the edge represents the next state for that input value. This is illustrated in Fig. 1(b).

Given a state and a sequence of inputs, we will refer to a sequence of states as being the run (sometimes referred to as the path) starting at that state on that input iff its first element is the given state and each subsequent element is obtained by applying the next-state function to the previous element and the corresponding input. The output sequence corresponds to the run iff each of its elements is the output function applied to the corresponding state and input.

C. Netlists

A netlist is a representation of a design at the structural level, which is closer to the actual implementation of the design than FSMs, which can be viewed as behavioral level descriptions of the design.

Definition 2: A netlist is a directed graph, where the nodes correspond to elementary circuit elements, and the edges correspond to wires connecting these elements. Each node is labeled with a distinct variable. The three primitive circuit elements are primary inputs, latches, and gates. Primary input nodes have no fanins; latches have a single input. Each latch has a designated initial value. Associated with each gate is a Boolean function of its fanins’ variables. A subset of the set of nodes is designated as being the set of primary outputs.

Fig. 1. (a) A netlist and (b) its corresponding FSM.

Fig. 2. Composing netlists.

For the reasons given in Section I, we require every cycle in a netlist to include at least one latch (i.e., there are no combinational cycles).

Fig. 1(a) provides a graphical depiction of a netlist. One node is a primary input; two nodes are latches, and the remaining two nodes are gates. One node is designated a primary output. In this example, one gate is driven solely by latches (i.e., there is no path from an input node to it which does not pass through a latch), while the other gate is driven by both primary inputs and latches.

Given a set of assignments to each primary input node and a state, one can uniquely compute the values of each node in the netlist by evaluating the functions at gates. In this way, a netlist on a given set of primary inputs, primary outputs, and latches bears a natural correspondence to an FSM whose inputs are the assignments to the primary inputs, whose outputs are the assignments to the primary outputs, and whose state space is the set of assignments to the latches, with an initial state given by the initial values for the latches. An example of this correspondence is given in Fig. 1.

D. Netlist Composition

Composition of two netlists consists of placing the two netlists next to each other and connecting the nodes for primary inputs and primary outputs which are specified by the composition. The primary inputs of the composed netlist are the primary inputs of the original netlists which remain unconnected. A subset of the primary outputs of the original netlists is designated as being the primary outputs of the composed netlist; the remainder are said to be hidden.

This is illustrated in Fig. 2, where two of the inputs are “tied” to two of the outputs, and one output is designated an output in the composed design. As stated in the introduction, our notion of composition is synchronous, i.e., all the latches are assumed to be driven by a single clock and, hence, change state in lockstep.

Fig. 3. A four-state abstraction of a processor.

We will only consider netlist composition when it does not resultin combinational cycles.
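As an added example (our code, not the paper’s), the following Python encodes a netlist in the sense of Definition 2, checks the requirement that every cycle pass through a latch, derives the FSM of Section II-C by enumerating latch and input valuations, runs it on an input sequence to obtain the run and output sequence of Section II-B, and composes netlists as in Section II-D by tying inputs to outputs. The netlists `A`, `B` and `C` are constructed for illustration and are not those drawn in Figs. 1 and 2; the closed-loop composition shows that feeding back through a latch-driven (Moore) output introduces no combinational cycle, while tying two inverters into a ring does.

```python
from itertools import product


class Netlist:
    """Netlist per Definition 2: primary inputs, latches (driver node, initial value),
    gates (fanin nodes, Boolean function) and the list of primary output nodes.
    All node names are distinct."""

    def __init__(self, inputs, latches, gates, outputs):
        self.inputs = list(inputs)
        self.latches = dict(latches)
        self.gates = dict(gates)
        self.outputs = list(outputs)


def has_combinational_cycle(nl):
    """True iff some cycle avoids every latch: depth-first search that follows
    gate-to-gate fanin edges only, since an edge into a latch breaks the cycle."""
    WHITE, GRAY, BLACK = 0, 1, 2
    color = {g: WHITE for g in nl.gates}

    def dfs(g):
        color[g] = GRAY
        for f in nl.gates[g][0]:
            if f in nl.gates:
                if color[f] == GRAY:          # back edge through gates only
                    return True
                if color[f] == WHITE and dfs(f):
                    return True
        color[g] = BLACK
        return False

    return any(color[g] == WHITE and dfs(g) for g in list(nl.gates))


def evaluate(nl, state, inputs):
    """Given latch values (a state) and primary input values, compute every node by
    evaluating gate functions in fanin order (assumes no combinational cycle)."""
    val = {**inputs, **state}

    def value(n):
        if n not in val:
            fanins, fn = nl.gates[n]
            val[n] = fn(*(value(f) for f in fanins))
        return val[n]

    for g in nl.gates:
        value(g)
    return val


def to_fsm(nl):
    """The FSM of Section II-C: states are latch valuations, inputs and outputs are
    valuations of the primary inputs and outputs, initial state from the latch
    initial values. Returns (initial, delta, lam) keyed by (state, input)."""
    names = sorted(nl.latches)
    initial = tuple(nl.latches[l][1] for l in names)
    delta, lam = {}, {}
    for st in product((0, 1), repeat=len(names)):
        for iv in product((0, 1), repeat=len(nl.inputs)):
            val = evaluate(nl, dict(zip(names, st)), dict(zip(nl.inputs, iv)))
            delta[(st, iv)] = tuple(val[nl.latches[l][0]] for l in names)
            lam[(st, iv)] = tuple(val[o] for o in nl.outputs)
    return initial, delta, lam


def run(initial, delta, lam, word):
    """The run (sequence of states) and the corresponding output sequence."""
    states, outputs = [initial], []
    for iv in word:
        outputs.append(lam[(states[-1], iv)])
        states.append(delta[(states[-1], iv)])
    return states, outputs


def compose(a, b, ties, outputs):
    """Place a and b side by side; ties maps a primary input to the primary output
    it is tied to. A tied input becomes a buffer gate, untied inputs stay primary
    inputs, and outputs not listed in `outputs` are hidden."""
    gates = {**a.gates, **b.gates}
    for inp, out in ties.items():
        gates[inp] = ((out,), lambda x: x)
    inputs = [i for i in a.inputs + b.inputs if i not in ties]
    return Netlist(inputs, {**a.latches, **b.latches}, gates, outputs)


# Constructed netlist A: input x, latches a and b (initially 0); the output gate
# y = a AND b is driven solely by latches, whereas na and nb also depend on x.
A = Netlist(["x"], {"a": ("na", 0), "b": ("nb", 0)},
            {"na": (("x", "a"), lambda x, a: x ^ a),
             "nb": (("b", "x", "a"), lambda b, x, a: b ^ (x & a)),
             "y": (("a", "b"), lambda a, b: a & b)}, ["y"])
# Constructed combinational inverters B and C.
B = Netlist(["u"], {}, {"z": (("u",), lambda u: 1 - u)}, ["z"])
C = Netlist(["v"], {}, {"w": (("v",), lambda v: 1 - v)}, ["w"])


def demo():
    init, delta, lam = to_fsm(A)
    _, outs = run(init, delta, lam, [(1,), (1,), (1,), (1,)])
    closed = compose(A, B, {"u": "y", "x": "z"}, ["y"])   # feedback via a Moore output
    ring = compose(B, C, {"u": "w", "v": "z"}, ["z"])     # two inverters in a loop
    return outs, has_combinational_cycle(closed), has_combinational_cycle(ring)


if __name__ == "__main__":
    print(demo())  # ([(0,), (0,), (0,), (1,)], False, True)
```

The state space of `to_fsm` is exhaustive (two to the number of latches), which is fine for a handful of latches and is exactly where symbolic (BDD or automaton based) representations take over in real tools.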

A Moore netlist is a netlist where there is no path from an input to an output which does not pass through a latch; it has the property that no combinational cycles can result on composing it with any netlist. The FSM derived from such a netlist has the property that the output is purely a function of the state; such FSMs are referred to as Moore machines.

E. Fairness

There are situations when a design cannot be captured using an FSM by itself. Consider, for example, what happens when a processor is abstracted to a four state machine which cycles through idle, request, lock, and release states, with the transition out of lock being nondeterministic, as in Fig. 3. In order to model the processor accurately, it may be desirable to specify the condition that it does not remain in the state lock forever. This cannot be modeled using an FSM; a fairness constraint must be specified as part of the design.

In this paper, we will take a very simple approach to fairness; we will restrict our attention to Büchi fairness. A Büchi fairness condition is a subset of the state-space of the FSM.

Definition 3: An infinite path satisfies a Büchi fairness condition iff inf of the path has a nonempty intersection with the condition.

Fig. 4. Examples of finite state automata.

The path is fair relative to a set of Büchi fairness conditions (collectively referred to as a Büchi fairness constraint) iff it is fair with respect to each fairness condition.

Fairness constraints on components of a design can be extended to fairness on the composed design: a path in the design is fair exactly when it is fair with respect to each component.

III. FINITE STATE AUTOMATA AND S1S

We start this section by defining finite state automata. We will then develop S1S, which is the logical system concerned with “second order” properties of the natural numbers with the successor operation. We present a classical theorem of Büchi which shows a surprising relationship between finite state automata and S1S. Thomas [31] provides an excellent survey of the material covered in this section.

A. Finite State Automata

Definition 4: A finite state automaton is a four-tuple consisting of a finite set called the alphabet, whose elements are referred to as symbols, a finite set referred to as the states, an initial state, and a transition relation, which is a set of triples of a state, a symbol, and a state. The relation is required to be completely specified, that is, for every state and every symbol there is some state such that the three form a transition.

A run corresponding to a finite input sequence is a sequence of states starting at the initial state such that, for every position, the state at that position, the input symbol at that position, and the state at the next position form a transition; the notion of a run extends naturally to the case when the input is an ω-sequence.

One can represent a finite state automaton using a graph, as shown in Fig. 4. Vertices correspond to states, and the edge from one state to another is labeled with all symbols for which the two states and that symbol form a transition.

It is useful to classify finite state automata as being deterministic and nondeterministic. An automaton is deterministic if for all states and for all input symbols there is exactly one next state forming a transition with them; otherwise it is nondeterministic. Two of the automata in Fig. 4 are deterministic; the third is nondeterministic. Note that nondeterminism may lead to multiple runs starting at the initial state for a particular input word.

Now we describe how a finite state automaton, together with an “acceptance condition,” can be used to specify languages. This will be done for both *-languages and ω-languages.

1) *-automata: Definition 5: A *-automaton is a tuple consisting of a finite state automaton and a subset of its states referred to as the set of accepting states.

The *-language accepted by the *-automaton is the set of all finite sequences over the alphabet such that there is a corresponding run starting at the initial state whose last state is an accepting state.

As an example, for a *-automaton whose underlying finite state automaton is one of those given in Fig. 4, the *-language accepted is the set of all sequences in which a (0,0) never appears at any point after a (1,1).

2) Properties of *-automata: It is easy to test whether the language accepted by a *-automaton is nonempty: use depth first search to see if there is an accepting state which is reachable from the initial state.

Given languages accepted by two *-automata, it is readily seen that there exist *-automata accepting their intersection and their union. The proof is by exhibiting the required *-automata by the product construction: the automaton for the intersection has as its states the pairs of states of the two automata, as its initial state the pair of initial states, a transition relation that advances both components on the same symbol, and as its accepting states the pairs whose components are both accepting. A similar construction works for the union.

Given any nondeterministic *-automaton, there exists a deterministic *-automaton which accepts exactly the same language. The proof proceeds by the subset construction [13], which builds a deterministic *-automaton whose state space consists of the subsets of the original states and which accepts the same language. The complement of a language accepted by a *-automaton is also accepted by a *-automaton. This follows from the fact that for any *-automaton there exists an equivalent deterministic *-automaton; complementation of deterministic *-automata is trivial.

For a language over an alphabet of pairs accepted by a *-automaton, the projection of the language to the first component consists of all sequences of first components for which there exists a sequence of second components such that the sequence of pairs is a member of the language. The projected language is also accepted by a *-automaton: there is a trivial construction to derive the accepting automaton from the original one, namely replace each transition label by its first component. We refer to the resulting automaton as the projection of the original to the first component; note that projection can result in a nondeterministic automaton, even when the original automaton was deterministic.
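The four operations of this subsection, as an added example written by us rather than taken from the paper: a *-automaton class with the depth first nonemptiness test, the product construction for intersection, the subset construction (kept completely specified by treating the empty subset as a sink), complementation of the determinized automaton, and projection of pair-labelled transitions onto one component. The automaton `NO_00_AFTER_11` is our construction of the language described for Fig. 4 above (no (0,0) after a (1,1)); its precise states and labels are our own, not the figure’s.

```python
from collections import deque


class StarAutomaton:
    """A *-automaton (Definition 5): alphabet, states, initial state, transition
    relation as a set of (state, symbol, state) triples, and accepting states."""

    def __init__(self, alphabet, states, initial, delta, accepting):
        self.alphabet = frozenset(alphabet)
        self.states = frozenset(states)
        self.initial = initial
        self.delta = frozenset(delta)
        self.accepting = frozenset(accepting)

    def step(self, s, x):
        return frozenset(t for (p, y, t) in self.delta if p == s and y == x)

    def accepts(self, word):
        """Track the states of all runs at once; accept if some run ends accepting."""
        cur = {self.initial}
        for x in word:
            cur = {t for s in cur for t in self.step(s, x)}
        return bool(cur & self.accepting)


def is_empty(aut):
    """Depth first search for an accepting state reachable from the initial state."""
    seen, stack = set(), [aut.initial]
    while stack:
        s = stack.pop()
        if s in seen:
            continue
        seen.add(s)
        if s in aut.accepting:
            return False
        stack.extend(t for (p, _, t) in aut.delta if p == s)
    return True


def intersect(a, b):
    """Product construction: both automata advance on the same symbol and a pair
    is accepting when both components are."""
    delta = {((p, q), x, (s, t)) for (p, x, s) in a.delta
             for (q, y, t) in b.delta if x == y}
    states = {(p, q) for p in a.states for q in b.states}
    accepting = {(p, q) for p in a.accepting for q in b.accepting}
    return StarAutomaton(a.alphabet, states, (a.initial, b.initial), delta, accepting)


def determinize(aut):
    """Subset construction restricted to reachable subsets. The empty subset acts as
    a sink, so the result is deterministic and completely specified."""
    init = frozenset([aut.initial])
    states, delta, todo = {init}, set(), deque([init])
    while todo:
        S = todo.popleft()
        for x in aut.alphabet:
            T = frozenset(t for s in S for t in aut.step(s, x))
            delta.add((S, x, T))
            if T not in states:
                states.add(T)
                todo.append(T)
    accepting = {S for S in states if S & aut.accepting}
    return StarAutomaton(aut.alphabet, states, init, delta, accepting)


def complement(aut):
    """Determinize, then swap accepting and nonaccepting states."""
    d = determinize(aut)
    return StarAutomaton(d.alphabet, d.states, d.initial, d.delta, d.states - d.accepting)


def project(aut, index):
    """Replace each tuple label by its `index` component; the result may be
    nondeterministic even when aut was deterministic."""
    return StarAutomaton({x[index] for x in aut.alphabet}, aut.states, aut.initial,
                         {(p, x[index], t) for (p, x, t) in aut.delta}, aut.accepting)


# Constructed automaton over pairs of bits: (0,0) never appears after a (1,1).
PAIRS = [(i, j) for i in (0, 1) for j in (0, 1)]
_delta = set()
for _x in PAIRS:
    _delta.add(("q0", _x, "q1" if _x == (1, 1) else "q0"))  # q0: no (1,1) seen yet
    _delta.add(("q1", _x, "q2" if _x == (0, 0) else "q1"))  # q1: a (1,1) has been seen
    _delta.add(("q2", _x, "q2"))                             # q2: violated (trap state)
NO_00_AFTER_11 = StarAutomaton(PAIRS, {"q0", "q1", "q2"}, "q0", _delta, {"q0", "q1"})


def demo():
    comp = complement(NO_00_AFTER_11)
    first = project(comp, 0)   # first components: some 0 occurs after some 1
    return (NO_00_AFTER_11.accepts([(0, 0), (1, 1), (0, 1)]),
            comp.accepts([(1, 1), (0, 1), (0, 0)]),
            is_empty(intersect(NO_00_AFTER_11, comp)),
            first.accepts([1, 0]), first.accepts([0, 1]))


if __name__ == "__main__":
    print(demo())  # (True, True, True, True, False)
```

`is_empty(intersect(L, complement(L)))` returning `True` is the usual sanity check that complementation and the product were implemented consistently; the same check is what one runs on a real model checker’s automata library before trusting it with a containment proof.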

3) ω-automata: Informally, an ω-automaton differs from a *-automaton in that it operates on infinite rather than finite sequences. Unlike *-automata, ω-automata come in various forms. We will concentrate on Büchi automata; details on the other brands of ω-automata can be gleaned from the survey article of Thomas [31].


Definition 6: A Büchi automaton is a tuple consisting of a finite state automaton and a subset of its states referred to as the set of Büchi states.

The ω-language accepted by the Büchi automaton is the set of all ω-sequences over the alphabet such that there is a corresponding run starting at the initial state for which inf of the run has a nonempty intersection with the set of Büchi states, i.e., there are Büchi states which occur infinitely often in the run. For example, the Büchi language accepted by a Büchi automaton built on one of the automata of Fig. 4 is the set of all sequences in which a 1 occurs infinitely often at multiples of 3.

Properties of Büchi automata: It is easy to test whether the language accepted by a Büchi automaton is n…onempty: check for the existence of a Büchi state which lies on a loop and is reachable from the initial state.

Given languages accepted by two Büchi automata, there exist Büchi automata accepting their intersection and their union; a similar (albeit marginally more complex) construction to that for *-automata can be applied.

The complement of a language accepted by a Büchi automaton is also accepted by a Büchi automaton, although the proof of this fact is nontrivial. An early proof [4] proceeds by taking the (possibly nondeterministic) defining Büchi automaton and creating a deterministic finite state automaton with a “Muller” acceptance condition [31], which accepts the same language; the need for a Muller acceptance condition stems from the fact that deterministic Büchi automata are strictly less expressive than nondeterministic Büchi automata. Following this, complementation is relatively straightforward. The determinization step, while similar in spirit to the subset construction for *-automata [13], is extremely complex. The best known procedure [27] starts with a nondeterministic Büchi automaton and yields, in the worst case, an automaton whose number of states is exponential in the number of states of the original.

For an ω-language accepted by a Büchi automaton, its projection to one component of the alphabet is also accepted by a Büchi automaton; the construction is the same as for *-automata.
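As an added example (ours, not the paper’s), the following Python implements the nonemptiness test just described, evaluates the inf-based acceptance of Definition 6 on ultimately periodic words (a prefix followed by a loop repeated forever), checks the Büchi fairness of Definition 3, and carries out the counter construction that reduces fairness with respect to several Büchi conditions, as arises for composed designs in Section II-E and in the intersection of two Büchi automata, to a single Büchi condition. The processor fairness condition `{release}` is our reading of “does not remain in lock forever” for the Fig. 3 abstraction, and the automaton `AB` is constructed for illustration.

```python
def successors(delta, s):
    """Targets of all transitions leaving s, regardless of symbol."""
    return {t for (p, _, t) in delta if p == s}


def reach_plus(delta, src):
    """States reachable from src by one or more transitions (src itself only if
    it lies on a cycle)."""
    seen, stack = set(), list(successors(delta, src))
    while stack:
        s = stack.pop()
        if s not in seen:
            seen.add(s)
            stack.extend(successors(delta, s))
    return seen


def buchi_nonempty(delta, initial, buchi):
    """Nonempty iff some Büchi state is reachable from the initial state and lies
    on a cycle, i.e. is reachable from itself."""
    from_init = {initial} | reach_plus(delta, initial)
    return any(f in from_init and f in reach_plus(delta, f) for f in buchi)


def fair(path_inf, condition):
    """Definition 3: inf(path) must intersect the Büchi condition."""
    return bool(set(path_inf) & set(condition))


def lasso_inf(delta, initial, prefix, loop):
    """inf(run) of a deterministic automaton on the ω-word prefix·loop^ω: repeat
    the loop until the state at a loop boundary repeats, then collect the states
    visited between the two occurrences."""
    def step(s, x):
        (t,) = [t for (p, y, t) in delta if p == s and y == x]  # deterministic
        return t

    s = initial
    for x in prefix:
        s = step(s, x)
    boundary, visited = {}, []
    while s not in boundary:
        boundary[s] = len(visited)
        for x in loop:
            visited.append(s)
            s = step(s, x)
    return set(visited[boundary[s]:])


def buchi_accepts(delta, initial, buchi, prefix, loop):
    return fair(lasso_inf(delta, initial, prefix, loop), buchi)


def generalized_to_buchi(delta, initial, conditions):
    """Several Büchi conditions F_0..F_{k-1} (fair iff each is met infinitely often)
    reduced to one: pair each state with a counter i that advances to i+1 mod k
    when the current state lies in F_i. A run visits (F_0, 0) infinitely often iff
    the counter wraps around infinitely often, i.e. iff every F_i is visited
    infinitely often."""
    k = len(conditions)
    new_delta = set()
    for (p, x, t) in delta:
        for i in range(k):
            j = (i + 1) % k if p in conditions[i] else i
            new_delta.add(((p, i), x, (t, j)))
    return new_delta, (initial, 0), {(f, 0) for f in conditions[0]}


# Our fairness condition for the Fig. 3 processor: staying in lock forever is unfair.
PROCESSOR_FAIR = {"release"}

# Constructed deterministic automaton over {a, b}: state A after an a, B after a b.
AB = {("A", "a", "A"), ("A", "b", "B"), ("B", "a", "A"), ("B", "b", "B")}


def demo():
    stuck = fair(["lock"], PROCESSOR_FAIR)                        # loops in lock
    cycling = fair(["idle", "request", "lock", "release"], PROCESSOR_FAIR)
    # Two conditions: infinitely many a's and infinitely many b's.
    d, init, acc = generalized_to_buchi(AB, "A", [{"A"}, {"B"}])
    return (stuck, cycling, buchi_nonempty(d, init, acc),
            buchi_accepts(d, init, acc, [], ["a", "b"]),
            buchi_accepts(d, init, acc, ["b"], ["a"]))


if __name__ == "__main__":
    print(demo())  # (False, True, True, True, False)
```

`lasso_inf` assumes a deterministic automaton so that the run is unique; for a nondeterministic one the same boundary-repetition argument has to be applied to the set of runs, which is exactly why the complementation discussed above is hard while nonemptiness is easy.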

B. S1S

S1S is a logical system concerned with “second order” properties of the set of natural numbers with the successor function; the term “second order” refers to the fact that the logic refers to both subsets as well as individual natural numbers. It was studied in detail by Büchi in [2]; in particular it was shown to be decidable. S1S provides an extremely powerful mechanism for analyzing and manipulating sequential systems—the expressiveness of logic (conjunction, negation, and quantification) is available to define sets of sequences.

Definition 7: S1S formulas are finite sequences over a fixed finite set of symbols: the constant 0, the successor symbol, the symbols for the atomic relations (in particular, membership of a number in a set), the logical connectives and quantifiers, parentheses, and two sorts of variables. The lower case variables are first order variables ranging over elements of the natural numbers, and the upper case variables are second order variables ranging over subsets of the natural numbers.

We are now ready to describe the syntax yielding the terms and the well formed formulas of S1S logic. In the interests of readability, we will abuse notation, e.g., by writing a formula in its usual mathematical shorthand rather than strictly as a sequence of symbols.

• Terms: the constant 0, any first order variable, and the successor of a term are terms. Examples: 0, a first order variable, and the successor of the successor of 0.

• Well formed formulas: the atomic formulas built from terms and second order variables are well formed; if two formulas are well formed, so are the negation of either, their conjunction, and the result of existentially quantifying a first order or a second order variable in either of them.

A variable occurs freely in a formula if it appears in the formula and is not quantified [9]. We write a formula together with a list of variables to indicate that at most those variables occur freely in it.

In the sequel, we will refer to well formed formulas simply as formulas. We will routinely use the symbols for disjunction, implication, universal quantification, etc., as logical abbreviations, and drop the use of parentheses unless needed to avoid ambiguity.

We now consider the semantics of S1S. An S1S formula can be interpreted over the structure consisting of the set of natural numbers, where the successor symbol is interpreted as the function adding one to its argument. In this way, a formula in S1S with one free second order variable defines a set of subsets of the natural numbers, i.e., a subset of the powerset of the natural numbers. The defined set contains all subsets such that the formula is true when the free variable is assigned that subset. More generally, formulas with several free second order variables define sets of tuples of subsets. Formal semantics of S1S can be found in [31]; below, we illustrate the interpretation of formulas by means of examples.

Example 1: Nonempty subsets of the natural numbers contain minimal elements.

Example 2: The set of subsets of the natural numbers which contain five whenever they contain three.

Example 3: The set containing (only) the set of even numbers.

Example 4: The binary relation on subsets of the natural numbers defined by: every even number in the first set is in the second.

The set of ω-sequences over the binary alphabet is in a natural one-to-one correspondence with the set of subsets of the natural numbers: a sequence corresponds to the set of positions at which it is 1 (for example, the sequence 0101... corresponds to the set of odd numbers). In this way, an S1S formula with one free second order variable defines an ω-language over the binary alphabet, and a formula with several free second order variables defines an ω-language over tuples of bits.
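As an added example, not from the paper, the following Python is an evaluator for the semantics just described, with one deliberate restriction: first order variables range over {0, ..., n-1} and second order variables over its subsets, for a bound n chosen by the caller (the finite sets of WS1S, truncated). Truth under such a bound is evidence about the unbounded structure rather than a proof, and the successor of n-1 is simply a number that belongs to no set. The tuple encoding of formulas is ours; `EX1` and `EX2` are our encodings of the descriptions of Examples 1 and 2, and `NO_ADJACENT` uses the sequence-to-set correspondence to define the language of 0/1 sequences with no two consecutive 1’s.

```python
from itertools import combinations


def subsets(n):
    """All subsets of {0, ..., n-1} as frozensets."""
    for r in range(n + 1):
        for c in combinations(range(n), r):
            yield frozenset(c)


def S(t):
    """Successor term s(t)."""
    return ("s", t)


def term(t, env):
    """Value of a term: the constant 0, a first order variable, or a successor."""
    if isinstance(t, int):
        return t
    if isinstance(t, str):
        return env[t]
    return term(t[1], env) + 1


def holds(phi, env, n):
    """Truth of phi under the assignment env, quantifiers bounded to {0..n-1}."""
    op = phi[0]
    if op == "in":    # term belongs to a second order variable
        return term(phi[1], env) in env[phi[2]]
    if op == "eq":
        return term(phi[1], env) == term(phi[2], env)
    if op == "lt":
        return term(phi[1], env) < term(phi[2], env)
    if op == "not":
        return not holds(phi[1], env, n)
    if op == "and":
        return holds(phi[1], env, n) and holds(phi[2], env, n)
    if op == "imp":   # abbreviation for (not phi) or psi
        return (not holds(phi[1], env, n)) or holds(phi[2], env, n)
    if op == "ex1":   # exists, first order
        return any(holds(phi[2], {**env, phi[1]: k}, n) for k in range(n))
    if op == "all1":  # abbreviation for not exists not
        return all(holds(phi[2], {**env, phi[1]: k}, n) for k in range(n))
    if op == "ex2":   # exists, second order
        return any(holds(phi[2], {**env, phi[1]: X}, n) for X in subsets(n))
    if op == "all2":
        return all(holds(phi[2], {**env, phi[1]: X}, n) for X in subsets(n))
    raise ValueError(f"unknown connective {op!r}")


def defined_set(phi, var, n):
    """The set of subsets X of {0..n-1} that phi(X) defines (var occurs free in phi)."""
    return {X for X in subsets(n) if holds(phi, {var: X}, n)}


def seq_to_set(bits):
    """A 0/1 sequence corresponds to the set of positions holding a 1."""
    return frozenset(i for i, b in enumerate(bits) if b == 1)


# Example 1 (closed formula): every nonempty set has a minimal element.
EX1 = ("all2", "X", ("imp", ("ex1", "x", ("in", "x", "X")),
                     ("ex1", "x", ("and", ("in", "x", "X"),
                                   ("all1", "y", ("imp", ("in", "y", "X"),
                                                  ("not", ("lt", "y", "x"))))))))
# Example 2: X contains five whenever it contains three.
THREE = S(S(S(0)))
FIVE = S(S(THREE))
EX2 = ("imp", ("in", THREE, "X"), ("in", FIVE, "X"))
# Language of sequences with no two consecutive 1's: no x with x and s(x) both in X.
NO_ADJACENT = ("not", ("ex1", "x", ("and", ("in", "x", "X"), ("in", S("x"), "X"))))


def demo(n=5):
    return (holds(EX1, {}, n),
            len(defined_set(EX2, "X", 6)),          # 64 subsets minus the 16 with 3 but not 5
            len(defined_set(NO_ADJACENT, "X", n)),  # a Fibonacci number for n = 5
            holds(NO_ADJACENT, {"X": seq_to_set([0, 1, 0, 1, 0])}, n),
            holds(NO_ADJACENT, {"X": seq_to_set([1, 1, 0, 0, 0])}, n))


if __name__ == "__main__":
    print(demo())  # (True, 48, 13, True, False)
```

Second order quantification enumerates all 2^n subsets, so nesting a few of them is already expensive at n around 15; the automaton-theoretic route through Theorem 3.1 replaces this enumeration with projection, intersection and complementation on automata, which is the point of the theorem for tool builders.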

The following result relates S1S formulas to ω-automata.

Theorem 3.1 (Büchi 1961): An ω-language over an alphabet of bit tuples is definable in S1S if and only if it is accepted by some Büchi automaton on that alphabet.


Fig. 5. Relating hardware to Büchi automata.

The right-to-left direction of the theorem follows from a straightforward construction of a formula coding up the transition structure of the automaton.

The left-to-right direction of the theorem is by induction on the length of the S1S formula. Automata for the atomic formulas are easily derived; an inductive construction is used for existential quantification, conjunction, and negation. The case of existential quantification is handled by automaton projection, conjunction by automaton intersection, and negation by automaton complementation, as discussed in Section III-A2 (the Büchi automaton versions of these constructions are those given in Section III-A3).

1) WS1S:With minor modifications, the formal treatmentof -languages done in S1S can be applied to-languages. Inthis case the resulting logic is referred to as weak S1S (WS1S),the weak referring to the fact that set variables range over finitesubsets of . In a manner analogous to Theorem 3.1, it can beshown that a -language is accepted by a-automaton if andonly if it is definable by a formula in WS1S.

Given the relative ease with which -automata can be complemented, it is not surprising that the proof of this fact is much easier than that of Büchi’s theorem; in fact it predates Büchi’s result [7].

C. Netlists, FSMs, Languages, and Compositional Designs

We now make precise the relationship between designs and languages accepted by automata.

Recall that in Section II we defined formal models for hardware; these consisted of FSMs and netlists. We made the point there that given a netlist, we could derive an FSM from it. An FSM bears a natural correspondence to a -automaton where precisely when and . An example of this correspondence is shown in Fig. 5. Observe that the language of this -automaton characterizes the input–output behavior of ; given any finite input sequence , we can construct the output sequence that would have produced on application of by examining the -automaton. By Theorem 3.1, it follows that we can also characterize a netlist by a formula of WS1S.

As described in Section II-D, designs are built compositionally. For designs specified as netlists, composition is specified by simply placing the two netlists next to each other and making the connections required by the composition. Inputs and outputs which are not hidden by this composition become the inputs and outputs of the composed design.

We illustrate the relationship between the WS1S formula for the -language of the composed design and the WS1S formulas for the components by considering the netlist composition illustrated in Fig. 2. Let and be the WS1S formulas defining the -languages of and . Then the -language of the composed design is defined by the WS1S formula given below

Fig. 6. A paradigm for sequential synthesis.

D. Applications to Synthesis

Fig. 6 illustrates the approach we will be using. Given a design , we will first identify a formula for it; this formula will be in WS1S or S1S, depending on the context. We will cast and solve the problem of characterizing permissible solutions in logic; essentially this amounts to writing down a system of logical constraints. This takes the form of a formula which can then be reflected back to an automaton.

In practice, it is not necessary to actually build any formulas—we can mimic the steps taken in the construction of an automaton from a formula to derive the automaton for the synthesized design directly. This corresponds to taking the dotted line in Fig. 6. The advantage of S1S is that it is much easier to come up with the characterizations. Additionally, elegant yet rigorous proofs can be given, and these proofs are constructive. Furthermore, as we will see in Section V, the approach generalizes immediately to nondeterministic designs, possibly with fairness constraints.

IV. SYNTHESIZING COMPOSITIONAL DESIGNS

As mentioned in Section I, a critical first step toward synthesizing a component in a design is characterizing the set of all valid implementations for that component. There is an obvious “operational” characterization: given a candidate implementation, plug it in, and test if there is no change in the input-output behavior observed from the external world, i.e., if the language of the composed design remains unchanged. Since equivalence of automata is decidable, this check is effective.


Fig. 7. A feedforward network.

This characterization is correct, since if the condition holds, there is no way the change can be determined by looking at the external inputs and outputs. Conversely, if there were some input on which the composed design had an output differing from that in the original design, there is a surrounding environment which could observe the change and as a result function incorrectly. Following the parlance of Singhal [30], we will refer to implementations satisfying this condition as being “safe replacements” for the component.

However, this characterization is not well suited for synthesis; we want a finite structure, on which some kind of algorithmic search for simple solutions can be performed. In this section, we will show that the flexibility available for sequential synthesis can be characterized using a -automaton.

This result was previously shown by Watanabe and Brayton [35], who referred to this automaton as the E-machine, the “E” standing for environment. Their approach was based on examining the design on a state-by-state basis; we derive this result using S1S. We also derive an approximation to the set of valid implementations on which it is easier to perform optimization, and adapt the E-machine construction to a number of interconnect schemes.

We can gain some intuition as to the source of the flexibility available for optimization by considering a component in the design. Observe that the nature of the surrounding components may make it impossible for certain sequences to be input to . Similarly, there may be input sequences for which the output from does not affect the external outputs. Knowledge of these facts may make it possible to simplify , while preserving the overall input-to-output behavior.

A. Feedforward Designs

In order to illustrate the principles and arguments we will be using, we start with the simple case of computing the set of permissible behaviors for feedforward networks. A feedforward network corresponds to a composition of a set of component netlists in such a way that there is no path in the composed netlist from an output of a component netlist to one of its inputs which passes only through vertices from other netlists. An example of such a netlist is given in Fig. 7.

In a feedforward network, it is possible to compose the environment around to form a single netlist , and have connected to as shown on the right of Fig. 7. The external inputs and outputs of this design are and . Here, is an output of and an input to ; similarly, is an output from and an input to . Note that the variables , , , and may correspond to vectors of inputs.

Let the -language of be defined by the WS1S formula , and the -language of be defined by the WS1S formula . Then the -language of the composed design is defined by the formula ; denote this formula by . We now characterize all possible netlists which can safely replace without changing the input-to-output behavior of the overall design.

Theorem 4.1: Let be a netlist. Then is a safe replacement for if and only if the language defined by is included in the language defined by the formula

Proof: Suppose . Let be an arbitrary finite sequence of inputs applied to the composition of and .

Since the composed design is a feedforward network, is purely a function of and the design . Let be the result at of applying at . The output seen at is purely a function of the input at and the design ; let be the output at corresponding to . This fixes the output seen at to some , since is a function of the sequences and and the design .

Observe that ; furthermore, , which in turn is contained in . Hence, , i.e., the output of the composition of with on input is the same as the output of the composition of with on input . But was chosen arbitrarily, and so is a safe replacement for .

Conversely, suppose . Take ; thus, is an element of the complement of , i.e., is an element of . Hence, there exists an ordered pair such that and .

Since the composed design is a feedforward network, is purely a function of and . Thus, on application of to the composition of and , the sequence seen at will again be . Since is purely a function of and the design , applying to will produce at the output. This in turn uniquely determines the output seen at to be .

However, ; thus, was not the output of composed with when was the input. Hence, is not a safe replacement for .


Fig. 8. A feedback network.

Thus, the formula completely characterizes the set of implementations that can replace the component . We will see in Section IV-C how to construct a -automaton that accepts ; this is a finite representation which is suitable for constructing an optimal implementation.

B. Feedback Designs

We now consider the case of a general compositional design, as illustrated in Fig. 8. Given a component we can coalesce its environment into a single netlist in the topology shown on the right of Fig. 8. The external input is and the external output is ; is an output of and an input to ; similarly, is an output from and an input to . Again, we want to characterize all netlists which can replace the component without changing the input-to-output behavior of the overall design.

Case 1— is Moore: In the presence of feedback, there exists the possibility of a combinational cycle resulting on composition. In order to avoid this possibility, we will first consider the case where is a Moore netlist. (Actually, we only need there to be no combinational path from to .)

Let the -language of be defined by the formula , and the -language of be defined by the formula . Then the -language of the composed design is defined by the formula ; denote this formula by .

We now characterize all netlists which are safe replacements for .

Theorem 4.2: Let be a netlist. Then is a safe replacement for if and only if the language defined by is contained in the language defined by the formula

(1)

Proof: Suppose . Let be an arbitrary finite sequence of inputs applied to the composition of with . Note that the nets , , and are functions of in the netlist consisting of composed with . Let , and be the result at , and respectively on applying at ;

Observe that is an element of ; furthermore, . By hypothesis is included in . Hence, , i.e., the output of the composition of with on input is the same as the output of the composition of with on input . But was chosen arbitrarily, and so is a safe replacement for .

Conversely, suppose . Let be an element of which is not in ; thus, . Hence, there exists an ordered pair such that and .

It now suffices to show that applying to the composition of and will result in as an output. Let and be the outputs produced at and on applying . We now prove that and are equal to and , respectively. We do this by using the fact that the output of a Moore netlist at step is uniquely determined by its inputs at steps to inductively show that for all we have and .

The base case is direct—the initial output of at is uniquely determined by the initial state since is a Moore netlist, so . The initial output of is purely a function of the initial state and the input at , and so .

Now for the induction step, consider ; it is uniquely determined by the values of and . But by the induction hypothesis, for all . This determines . Since is a function of , it follows that . Hence, the induction step goes through. The output at is uniquely determined by and ; since , it follows that . But ; thus, is not a safe replacement for .

Case 2—General : Now we consider the case when is not a Moore netlist. Observe that if we pick a which is Moore, then its composition with will still be guaranteed to have no combinational cycles. In order to characterize the Moore netlists which can replace , we need the concept of a Moore language.

Definition 8: Let be a -language. The language is a Moore language if whenever we have , then for any , we have .

Intuitively, a Moore language is a language with the property that for any string in the language, the second component of the last symbol in is independent of the first component. The -language corresponding to the input–output behavior of a Moore netlist is a Moore language, since the output at time does not depend on the input at time .

The following proposition is a consequence of the fact that the set of Moore languages is closed under union.

Proposition 4.3: Given an arbitrary -language defined over , there exists a unique maximal Moore language contained in it.

We will refer to as the Moore restriction of . We are now ready to characterize the set of Moore netlists which can safely replace ; unlike the previous case, this argument does not require that be Moore.


Fig. 9. Computing the Moore restriction for a language accepted by a -automaton.

Theorem 4.4: Let be a Moore netlist. Then is a safe replacement for if and only if the language defined by is contained in the Moore restriction of the language defined by the formula

Proof: The first stage of the proof, namely demonstrating that can be safely substituted for when its language is included in the Moore restriction of , is identical to that for Theorem 4.2.

Now suppose is not contained in the Moore restriction of . Observe that is a Moore language (by hypothesis is a Moore netlist); by Proposition 4.3, this implies that it is not contained in . The rest of the proof can be completed as in Theorem 4.2.

Let be a -automaton on alphabet , accepting the language . Using the subset construction, one can construct from a deterministic -automaton accepting . Given , it is straightforward to construct a deterministic automaton for the Moore restriction of : recursively remove from edges whenever for some applying to leads to a nonaccepting state. An algorithm which returns exactly the set of states in the DFA is given in Fig. 9.

C. Constructing an Automaton Accepting

In Section IV-B, we saw that the set of replacements for a component in a compositional design is characterized by a formula of the form . This formula can be rewritten as follows: . This formula suggests the following four-step procedure for constructing an automaton accepting .

Step 1) Complement the automaton accepting to obtain an automaton which accepts .

Step 2) Form an automaton for the intersection of and .

Step 3) Project out the inputs and from to obtain an automaton accepting .

Step 4) Complement to obtain an automaton for .

We illustrate the construction for by means of an example. Consider the design specified in Fig. 10. In order to optimize the component (shown with a dotted outline), we first characterize all safe replacements for . The construction for each step is shown in Fig. 11; by inspection, we can see that can be replaced by an inverter.

Fig. 10. Design to be optimized.
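The following Python is an added illustration of the four-step construction (it is not code from the paper or from the authors): it builds the finite-word automata for a small constructed feedback design, runs Steps 1 to 4 to obtain the E-machine, and, going one step beyond the text, checks candidate replacements by language containment. The signal names x, y (external) and u, v (internal), the environment and component netlists, and all helper names are assumptions made here.

```python
from itertools import product


class NFA:
    """Finite-word automaton; letters are bit-vectors with named positions and
    delta(state, letter) -> set(states) is a function, so every construction
    below is built lazily over the reachable states only."""

    def __init__(self, names, init, delta, accept):
        self.names = tuple(names)
        self.alphabet = list(product((0, 1), repeat=len(self.names)))
        self.init = frozenset(init)
        self.delta = delta
        self.accept = accept                                 # accept(state) -> bool

    def accepts(self, word):
        cur = self.init
        for a in word:
            cur = frozenset(t for s in cur for t in self.delta(s, a))
        return any(self.accept(s) for s in cur)


def pick(letter, names, sub):
    """Restrict a letter over `names` to the positions listed in `sub`."""
    return tuple(letter[names.index(n)] for n in sub)

def netlist_automaton(inputs, outputs, init, step):
    """Deterministic automaton accepting exactly the (input, output) traces a
    netlist can produce (cf. Fig. 5); step(state, ins) -> (outs, next_state)."""
    k = len(inputs)
    def delta(s, a):
        outs, nxt = step(s, a[:k])
        return {nxt} if outs == a[k:] else set()           # wrong output: no successor
    return NFA(inputs + outputs, [init], delta, lambda s: True)

def intersect(a, b):
    """Product automaton (conjunction) over the union of both signal sets."""
    names = tuple(dict.fromkeys(a.names + b.names))
    def delta(s, l):
        la, lb = pick(l, names, a.names), pick(l, names, b.names)
        return {(p, q) for p in a.delta(s[0], la) for q in b.delta(s[1], lb)}
    return NFA(names, product(a.init, b.init), delta,
               lambda s: a.accept(s[0]) and b.accept(s[1]))

def project(nfa, keep):
    """Existentially quantify away the signals not in `keep`; this is the step
    that can turn a deterministic automaton into a nondeterministic one."""
    def delta(s, l):
        return {t for f in nfa.alphabet if pick(f, nfa.names, keep) == l
                for t in nfa.delta(s, f)}
    return NFA(keep, nfa.init, delta, nfa.accept)

def determinize(nfa):
    """Subset construction; the empty set is the dead state, so the result is
    complete and complement() can simply flip acceptance."""
    def delta(S, l):
        return {frozenset(t for s in S for t in nfa.delta(s, l))}
    return NFA(nfa.names, [nfa.init], delta, lambda S: any(map(nfa.accept, S)))

def complement(nfa):
    d = determinize(nfa)
    return NFA(d.names, d.init, d.delta, lambda S: not d.accept(S))

def is_empty(nfa):
    """Search the reachable states for an accepting one."""
    seen, todo = set(nfa.init), list(nfa.init)
    while todo:
        s = todo.pop()
        if nfa.accept(s):
            return False
        new = {t for l in nfa.alphabet for t in nfa.delta(s, l)} - seen
        seen |= new
        todo += new
    return True

def e_machine(env, comp, internal):
    """Steps 1-4 of Section IV-C: the automaton accepting every (u, v) behaviour
    that leaves the composed design's external (x, y) behaviour unchanged."""
    external = [n for n in env.names if n not in internal]
    design = project(intersect(env, comp), external)     # D(x, y): the design as built
    bad = intersect(env, complement(design))             # Steps 1-2: E and not D
    return complement(project(bad, internal))            # Steps 3-4: hide x, y; negate

def is_safe_replacement(cand, emachine):
    """Containment L(cand) in L(emachine), checked as emptiness of the difference."""
    return is_empty(intersect(cand, complement(emachine)))


# Constructed example (not the paper's Fig. 10).  Environment E forwards the
# answer v to the external output y and raises the request u only if it was low
# on the previous cycle (u = x AND NOT last_u); component M is a rising-edge
# detector v = u AND NOT last_u.  Since E never raises u on consecutive cycles,
# the detector can be replaced by a plain wire v = u, but not by an inverter.
ENV = netlist_automaton(("x", "v"), ("u", "y"), 0,
                        lambda s, i: ((i[0] & (1 - s), i[1]), i[0] & (1 - s)))
EDGE_DETECTOR = netlist_automaton(("u",), ("v",), 0,
                                  lambda s, i: ((i[0] & (1 - s),), i[0]))
WIRE = netlist_automaton(("u",), ("v",), 0, lambda s, i: ((i[0],), 0))
INVERTER = netlist_automaton(("u",), ("v",), 0, lambda s, i: ((1 - i[0],), 0))
EMACHINE = e_machine(ENV, EDGE_DETECTOR, ("u", "v"))

if __name__ == "__main__":
    for name, cand in (("detector", EDGE_DETECTOR), ("wire", WIRE), ("inverter", INVERTER)):
        print(name, "is a safe replacement:", is_safe_replacement(cand, EMACHINE))
```

The lazily defined automata keep the intermediate state spaces implicit, which is enough for this toy design but does nothing about the exponential blow-up of the final determinization discussed under complexity below.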

1) Complexity issues: It is straightforward to build -automata corresponding to , , and (cf. Section III-C). Since the automaton for is deterministic, an automaton for its complement, constructed in Step 1, is trivially obtained; it has states. The product automaton in Step 2 has a state-space whose cardinality is the size of the product of the state-spaces of the automata for , and . The projection of the signals and in Step 3 is also easy to achieve.

The complexity comes in the complementation performed in Step 4. Even though the product automaton resulting in Step 2 is deterministic, the projection of Step 3 makes it nondeterministic. The complementation in Step 4 is performed by first determinizing the nondeterministic automaton, which, in the worst case, can lead to an automaton on states.

By virtue of Theorems 4.1, 4.2, and 4.4, the automaton capturing the entire set of replacements for a component interacting with an environment accepts exactly the language defined by an S1S formula of the form . It follows that if we want to capture all the flexibility available for optimizing by an automaton, then the automaton is obliged to accept , and it may be very large.

We complemented the automaton by first determinizing it. It may be the case that the final automaton, , after merging equivalent states, is much smaller than the determinization of , i.e., generating the complement by determinizing as a first step leads to an intermediate blow-up. However, complementing a nondeterministic finite automaton is inherently computationally expensive. This is due to the fact that the problem of deciding if a nondeterministic finite automaton is universal, i.e., accepts all sequences, is PSPACE-complete [11]. Once an automaton (deterministic or nondeterministic) accepting the complement of is constructed, checking the emptiness of is trivial; hence, performing complementation is as difficult as checking universality.

Watanabe and Brayton [35] have successfully constructed the automaton accepting on some examples. However, the designs they used were synthetic—they consisted of randomly composed MCNC benchmarks. Furthermore, they were small—the component to be synthesized contained at most 18 states, and the entire design contained at most 336 states. Their results suggest that the final size of is much smaller than the upper bound we derived above. The run times they report vary by orders of magnitude, and can be very large. In view of the fact that their experiments were performed on small and synthetic examples, a definitive statement about the average case time and space complexity of constructing cannot be made at this time.

Fig. 11. Constructing the E-machine—circled states are accepting.

One reason for the high complexity of constructing the is the fact that we chose language containment as our criterion for conformance (cf. the remarks in Section I). Testing language containment for nondeterministic finite state automata is PSPACE-complete; we could have used a stronger notion for conformance, e.g., simulation [32], which can be tested in polynomial time. If we did so, the development of the E-machine would be quite different. Such an approach could reduce complexity, at the cost of completeness.

D. Optimization from Automata Specifications

Once a -automaton characterizing the set of safe replacements possible for a component is available, the next step is to find an optimal replacement. There are many criteria for optimality such as area, timing, power consumption, etc. One starting point is determining a replacement whose underlying FSM is minimum state.

Not surprisingly, this is closely related to the problem of minimizing an incompletely specified finite state machine (ICFSM) [12]. However, there is a subtle distinction: for an incompletely specified FSM, at a given state, for a specific input, either the next-state and output is fixed, or any output and next-state is allowed. In the context of the E-machine, at a given state, for a specific input, a subset of all possible outputs and next-states may be allowed; this is referred to as pseudo-nondeterminism [35]. Watanabe and Brayton [35] explain why the problem of finding a minimum state FSM compatible with a specification given as a pseudo-nondeterministic automaton is more difficult than when the specification is given as an ICFSM.

E. An Approximation to the Full Set of Safe Replacements

We now again consider optimization of a compositional design with feedback as in Fig. 8. It is of some interest to study a particular subset of the set of safe replacements for , namely that corresponding to the input don’t care set. This will help us better understand previous work; furthermore, we will see that this subset in certain respects is better suited for optimization.

Input don’t care sequences for are those sequences at which can never be generated in the composition of and ; intuitively, we are free to change the behavior of on such sequences, leading to flexibility which can be exploited by optimization tools.

We assume is a Moore netlist. As before, let the -language of be defined by the formula , and the -language of be defined by the formula .

Definition 9: The input don’t care set for is the set defined by the formula

This formula defines precisely the set of finite sequences which can never arise at when is composed with ; as a consequence, any component which seeks to replace is free to produce any output for inputs which lie in the set defined by . More formally, we have the following theorem:

Theorem 4.5: Let be a netlist. Then can be safely substituted for if the language defined by is contained in the -language defined by the formula

(2)

Proof: Let be some sequence of inputs to the composition of and . Note that , , and are uniquely determined by ; call the resulting sequences , , and . It suffices to show that applying to the composition of and also results in , , and .

Let the result of applying to the composition of and be , and . The construction used in Theorem 4.2 to show that , , and can be applied in this case also, and the result follows immediately.

A closer analysis of the formula demonstrates that the corresponding automaton has, in the worst case, states; contrast this with the automaton for which, as shown in Section IV-C, has states in the worst case.

Furthermore, the automaton accepting corresponds to an incompletely specified FSM, rather than a pseudo-nondeterministic automaton as is the case for the automaton accepting . This follows from the fact that the automaton accepting is completely specified and deterministic, and for , any sequence will do. Thus, for any sequence, either it is in , and then any sequence of outputs is allowed (implying that the next-state and output of the FSM is not specified), or is uniquely determined. Hence, the set can be characterized by an ICFSM, which, as Watanabe and Brayton [35] show, is easier to perform optimization on than a pseudo-nondeterministic automaton.

Fig. 12. A variety of FSM interconnection schemes—the names suggest applications.

Wang and Brayton [33] report results on computing an automaton accepting . On comparing their results with those in [35], we see that an automaton accepting can be constructed far more efficiently than an automaton accepting ; this is in concordance with the reasoning above. Again, their examples are small and synthetic, so no definitive claims can be made about the practical applicability of their approach.

F. General Topologies

One of the benefits of the S1S approach is its generality. For example, in the past different topologies (schemes for interconnecting networks) have been studied separately. Using the style of reasoning given previously, one can easily characterize safe replacements for components for the topologies in Fig. 12. In all cases, the techniques described in Section IV-B2 to avoid combinational cycles must be used.

Cascade—I(a).

Cascade—I(b).

Cascade—II.

Supervisory Control.

Bidirectional Cascade—(a).

Bidirectional Cascade—(b).

Rectification—I.

Rectification—II.

It is worth noting that when there is no “hiding” of signals, i.e., all inputs and outputs of the components are visible in the composed design, the size of the corresponding automaton is polynomial in the number of states in the component FSMs. This is because we begin with deterministic components, and, since no signals are hidden, there are no projected variables in the formula for the automaton (cf. Section III-A1—projection can make a deterministic automaton nondeterministic). This is the case for the Supervisory Control and Rectification-II examples.

V. SYNTHESIZING PROPERTIES

Up to this point we have addressed the problem of optimizing components of larger designs. We now examine the problem of selecting a component so that the larger design meets user-specified properties.

The scenario is as follows: Let be a design on primary input , auxiliary input , primary output and auxiliary output , exactly as in Fig. 8, and let be some specification on acceptable primary input–output for . It is natural to ask: does there exist a design which when composed with results in the primary input–output behavior conforming to ?

In order to answer this question, we need to formalize the notions of specification and conformance. Let and be the sets of values that and can take. A natural way of specifying acceptable input–output behaviors on and is by specifying a Büchi automaton accepting an -language , i.e., for an infinite input sequence , exactly those should be produced for which . Similarly, it is natural to say that the composition of the composed design conforms to if its language is included in .

It is preferable to specify the input–output behavior using -sequences rather than finite sequences (as we used in optimization). This is because the use of Büchi automata allows the specification of fairness: whenever we want to specify a liveness property, it is invariably necessary to include a fairness constraint in the description of the system (in this case ). Use of a fairness constraint makes it possible to ignore behaviors that correspond to extreme execution scenarios which would not occur in any reasonable system.

Let the -languages of and be defined by the S1S formulas and . Let us re-examine the expression characterizing the set of safe replacements for a component interacting with design

where . We argued that any netlist whose language was included in would be a safe replacement for , i.e., composition of with would result in a netlist whose language was contained in .

Now suppose was some arbitrary specification on the input-output behavior of , as discussed above. Exactly the same arguments as were used in proving Theorem 4.2 can be applied to prove the following:

Theorem 5.1: The composition of netlist with netlist conforms to the Büchi specification if and only if the language of is included in the language defined by the formula

Fig. 13. Infinite tree for realizability.

Again, the caveats about introducing combinational cycles must be heeded.

1) Realizability: Computing the Büchi automaton for the formula does not directly answer the existence question we posed at the beginning of this section. Our question is closely linked to the problem of realizability. Given an -language accepted by a Büchi automaton, it is natural to ask if there exists a netlist whose corresponding language is contained in .

Note that this can be trivially answered in the affirmative when dealing with the optimization problem, since it would suffice to use the original component. However, when the specification is given by an arbitrary Büchi automaton, it may be the case that there is no netlist whose language is contained in the specification. A necessary condition for the existence of a netlist is that for any , there exists a such that . However, this condition is not sufficient, because it does not guarantee causality: the netlist realizing must produce based only on the values .

Pnueli and Rosner [23] argue that a necessary and sufficient condition for a language to be realizable by a netlist is that a -branching infinite tree must exist, whose edges are labeled with pairs such that:

1) at each vertex , for every , there is a such that labels some edge coming out of ;

2) for every infinite path from the root of the tree, the sequence of pairs is an element of .

An example of such a tree, where and , is shown in Fig. 13.

Given accepted by a nondeterministic Büchi automaton over the alphabet , the following is a procedure for determining if a netlist exists whose language is contained in .

1) Use the construction of [27] to determinize the automaton to obtain a deterministic Streett automaton.

2) In this Streett automaton, project the symbols of the alphabet down to . Interpret the new structure as a Streett automaton on trees and check for tree emptiness [24].

As is shown in [23], an implementable controller (a netlist in our context) exists if and only if the tree emptiness check is negative; this approach will produce an implementation if one exists.

The complexity of this procedure is very high—the construction of the deterministic Streett automaton potentially yields an automaton whose state-space is exponential in , and doubly exponential in . Furthermore, the tree-emptiness check is NP-complete; the algorithm of [23] has complexity polynomial in the number of states and exponential in the number of accepting pairs of the Streett automaton.

VI. SUMMARY

We have proposed the logic S1S as a formalism to describe permissible behaviors of an FSM interacting with other FSMs. We believe that this framework offers several advantages.

First, for any S1S formula it is possible to generate automatically an automaton describing the same behaviors as the formula. Thus, fully automatic synthesis is possible that takes into account all available degrees of freedom. In practice, the generated automaton is often too large to handle with state-of-the-art optimization algorithms. Nevertheless, S1S provides a rigorous framework in which one can prove that a set of behaviors used as a don’t-care condition indeed represents permissible behaviors of the system. This allows easy development of a spectrum of methods that explore trade-offs between flexibility provided by the information about the environment, and the price of storing and using this information—on one side of the spectrum is the optimization of a component in isolation, and on the other side is the construction of the E-machine. A concrete example of this trade-off was presented in Section IV-D, where we saw that by restricting our attention to the flexibility afforded by input don’t care sequences, we arrived at an approximation which was significantly more tractable. The formalism S1S provides a systematic and simple way of reducing the problem of optimizing interacting FSMs to optimizing a single FSM, with different methods generating FSMs of different sizes. Thus, any future improvement in FSM optimization algorithms will provide immediate benefits to optimization of interacting FSMs.

Second, in contrast to previous approaches, our approach is easily extended to different interconnection topologies. In this paper we have derived specifications of permissible behaviors for several topologies, some of which have not been previously investigated. By observing specifications for different topologies we were able to formulate the following general principle: if a component FSM can observe values of all the signals in the system, then the size of its E-machine is polynomial; otherwise it is exponential.

Finally, our approach immediately generalizes to the synthesis of properties, such as safety and liveness. In doing so, we have also shed some light on the relationship between interpretations of the term “synthesis” in different communities.

Future Work: There are a number of ways in which this work can be extended. Experiments need to be performed on a meaningful set of examples to see how the proposed procedures perform in the average case. Additionally, studies can be made on the use of partitioning and peephole optimization techniques (as are used in combinational logic synthesis) to reduce complexity when dealing with large designs.

Our approach should be applicable to software synthesis, applications of which include optimizing embedded controllers, and hardware-software co-design. Similarly, the synthesis of richer systems, such as those which include timing functionality and statistical behavior, can be studied in our framework.

In a broader context, the ideas brought forward in this paper demonstrate the power and elegance of employing mathematical logic to solve problems in design automation. We hope this paper will motivate researchers in EDA to learn more about mathematical logic; we recommend the excellent textbook of Enderton [9] to interested readers.

ACKNOWLEDGMENT

The authors would like to thank V. Singhal for his help with developing the notation used in this paper, and the reviewers for their detailed feedback.

REFERENCES

[1] S. S. Bhattacharyya, P. K. Murthy, and E. A. Lee, Software Synthesis from Dataflow Graphs. Norwell, MA: Kluwer Academic, 1996.

[2] J. R. Büchi, “On a decision method in restricted second order arithmetic,” in Proc. Int. Congress Logic, Methodology, and Philosophy of Science, 1960, pp. 1–11.

[3] J. R. Burch, D. L. Dill, E. Wolf, and G. D. Micheli, “Modeling hierar-chical combinational circuits,” inProc. Int. Conf. Computer-Aided De-sign, Nov. 1993, pp. 612–617.

[4] Y. Choueka, “Theories of automata on omega-tapes: A simplified ap-proach,”JCSS, vol. 8, no. 2, pp. 117–141, 1974.

[5] S. Devadas, “Optimizing interacting finite state machines using sequen-tial don’t cares,”IEEE Trans. Computer-Aided Design, pp. 1473–1484,Dec. 1991.

[6] M. DiBenedetto, A. Saldanha, and A. Sangiovanni-Vincentelli, “Modelmatching for finite state machines,” presented at the IEEE Conf. Deci-sion and Control, Dec. 1994.

[7] C. C. Elgot, “Decision problems of finite automation design and relateddecision problems,”Trans. Amer. Math. Soc., vol. 98, pp. 21–52, 1961.

[8] Formal models and semantics (Handbook of Theoretical Computer Sci-ence), vol. B, J. van Leeuwen, Ed., Elsevier Science, Amsterdam, TheNetherlands, 1990, pp. 996–1072.

[9] H. Enderton,A Mathematical Introduction to Logic. New York: Aca-demic, 1972.

[10] J. Fron, J. C.-Y. Yang, M. Damiani, and G. De Micheli, “A synthesisframework based on trace and automata theory,” inProc. Int. Symp. Cir-cuits and Systems, May 1994, pp. 291–294.

[11] M. R. Garey and D. S. Johnson,Computers and Intractability. SanFrancisco, CA: Freeman, 1979.

[12] G. D. Hachtel, J.-K. Rho, F. Somenzi, and R. Jacoby, “Exact andheuristic algorithms for the minimization of incompletely specifiedstate machines,” inProc. Eur. Conf. Design Automation, Amsterdam,The Netherlands, Feb. 1991, pp. 184–191.

[13] J. E. Hopcroft and J. D. Ullman,Introduction to Automata Theory, Lan-guages and Computation. Reading, MA: Addison-Wesley, 1979.

[14] O. H. Jensen, J. T. Lang, C. Jeppesen, and K. G. Larsen, “Model con-struction for implicit specifications in modal logic,” inLecture Notes inComputer Science. Berlin, Germany: Springer-Verlag, 1993, vol. 715.

[15] T. Kam, “State minimization of finite state machines using implicit tech-niques,” Ph D dissertation, Electron. Res. Lab., College Eng., Univ. Cal-ifornia, Berkeley, May 1995.

[16] T. Kam, T. Villa, R. Brayton, and A. Sangiovanni-Vincentelli, “A fullyimplicit algorithm for exact state minimization,” inProc. Design Au-tomation Conf., June 1994, pp. 684–690.

[17] J. Kim and M. M. Newborne, “The simplification of sequential machineswith input restrictions,”IRE Trans. Electron. Comput., pp. 1440–1443,Dec. 1972.

[18] R. P. Kurshan,Automata-Theoretic Verification of Coordinating Pro-cesses. Princeton, NJ: Princeton Univ. Press, 1993.

[19] S. Malik, “Analysis of cyclic combinational circuits,”IEEE Trans. Com-puter-Aided Design, vol. 13, pp. 950–956, July 1994.

[20] Z. Manna and J. Waldinger, “Toward automatic program synthesis,”Commun. ACM, vol. 14, no. 3, pp. 151–165, Mar. 1971.

[21] G. De Micheli,Synthesis and Optimization of Digital Circuits. NewYork: McGraw Hill, 1994.

[22] J. Parrow, “Submodule construction and equation solving in CCS,”The-oretical Comput. Sci., vol. 68, 1989.


[23] A. Pnueli and R. Rosner, “On the synthesis of a reactive module,” in Proc. ACM Symp. Principles of Programming Languages, 1989, pp. 179–190.

[24] M. O. Rabin, Automata on Infinite Objects and Church’s Problem. Providence, RI: Amer. Math. Soc., 1971.

[25] P. Ramadge and W. Wonham, “The control of discrete event systems,” Proc. IEEE, vol. 77, pp. 81–98, 1989.

[26] J.-K. Rho, G. Hachtel, and F. Somenzi, “Don’t care sequences and the optimization of interacting finite state machines,” in Proc. Int. Conf. Computer-Aided Design, Nov. 1991, pp. 418–421.

[27] S. Safra, “Complexity of automata on infinite objects,” Ph.D. dissertation, The Weizmann Inst. Sci., Rehovot, Israel, Mar. 1989.

[28] H. Savoj, “Don’t cares in multi-level network optimization,” Ph.D. dissertation, Electron. Res. Lab., College Eng., Univ. California, Berkeley, CA, May 1992.

[29] T. R. Shiple, “Formal analysis of synchronous hardware,” Ph.D. dissertation, Electron. Res. Lab., College Eng., Univ. California, Berkeley, CA, 1996.

[30] V. Singhal, “Design replacements for sequential circuits,” Ph.D. dissertation, Electron. Res. Lab., College Eng., Univ. California, Berkeley, CA, 1996.

[31] Formal Models and Semantics (Handbook of Theoretical Computer Science), vol. B, J. van Leeuwen, Ed., Elsevier Science, Amsterdam, The Netherlands, 1990, pp. 133–191.

[32] R. J. van Glabbeek, “Comparative concurrency semantics and refinement of actions,” Ph.D. dissertation, Centrum voor Wiskunde en Informatica, Vrije Universiteit te Amsterdam, Amsterdam, The Netherlands, May 1990.

[33] H.-Y. Wang and R. K. Brayton, “Input don’t care sequences in FSM networks,” in Proc. Int. Conf. Computer-Aided Design, 1993, pp. 321–328.

[34] H.-Y. Wang and R. K. Brayton, “Permissible observability relations in FSM networks,” in Proc. Design Automation Conf., June 1994, pp. 677–683.

[35] Y. Watanabe and R. K. Brayton, “The maximum set of permissible behaviors for FSM networks,” in Proc. Int. Conf. Computer-Aided Design, 1993, pp. 316–320.

[36] H. Wong-Toi and D. L. Dill, “Synthesizing processes and schedulers from temporal specifications,” in Proc. 2nd Workshop Computer-Aided Verification, 1990, pp. 272–281.

[37] W. Wonham and P. Ramadge, “On the supremal controllable language of a given language,” SIAM J. Contr. Optimization, vol. 25, pp. 637–659, 1988.

Adnan Aziz received the undergraduate degree from the Indian Institute of Technology, Kanpur, India. He received the Ph.D. degree in electrical engineering and computer sciences from The University of California at Berkeley in 1996.

He joined The University of Texas, Austin, in the Spring of 1996. His research interests lie in algorithms for design and verification, particularly in the area of VLSI; he has made contributions to both the theory and practice of synthesizing and verifying digital systems. More specifically, he has written a number of papers on design verification and sequential synthesis. Additionally, he is one of the architects of the VIS system, a software tool that is widely used for formal verification. His current interests include enhancing simulation with symbolic algorithms, and integration of logic synthesis with physical design.

Felice Balarin (S’90–M’95) received the Ph.D. degree in electrical engineering and computer science from the University of California at Berkeley in 1994.

He has been a Research Scientist with the Cadence Berkeley Labs., Berkeley, CA, since 1994. His research is focused on development and application of formal methods to design, verification and timing analysis of systems consisting of both hardware and software.

Robert K. Brayton (M’75–SM’78–F’81) received the B.S.E.E. degree from Iowa State University, Ames, in 1956 and the Ph.D. degree in mathematics from Massachusetts Institute of Technology, Cambridge, in 1961.

From 1961 to 1987 he was a member of the Mathematical Sciences Department of the IBM T. J. Watson Research Center, Yorktown Heights, NY. In 1987, he joined the Electrical Engineering and Computer Science Department at the University of California at Berkeley, where he is the Cadence Distinguished Professor of Engineering and the director of the SRC Center of Excellence for Design Sciences. He has authored over 400 technical papers, and eight books. His past contributions have been in analysis of nonlinear networks, electrical simulation and optimization of circuits, and asynchronous synthesis. His current research involves combinational and sequential logic synthesis for area/performance/testability, formal design verification and synthesis for DSM designs.

Dr. Brayton held the Edgar L. and Harold H. Buttner Endowed Chair in Electrical Engineering at Berkeley. He is a member of the National Academy of Engineering, and a Fellow of the AAAS. He received the 1991 IEEE CAS Technical Achievement Award, the IEEE CAS Golden Jubilee Medal, and five best paper awards, including the 1971 IEEE Guilleman-Cauer award, and the 1987 ISCAS Darlington award. He was the editor of the Journal on Formal Methods in Systems Design from 1992–1996. He received the CAS Golden Jubilee Medal and the IEEE Millennium Medal in 2000.

Alberto Sangiovanni-Vincentelli (M’74–SM’81–F’83) received the electrical engineering and computer science degree (“Dottore in Ingegneria”) summa cum laude from the Politecnico di Milano, Milano, Italy in 1971.

He holds the Edgar L. and Harold H. Buttner Chair of Electrical Engineering and Computer Sciences at the University of California at Berkeley, where he has been on the Faculty since 1976. In 1980–1981, he spent a year as a Visiting Scientist at the Mathematical Sciences Department of the IBM T.J. Watson Research Center, Yorktown Heights, NY. In 1987, he was Visiting Professor at Massachusetts Institute of Technology, Cambridge. He was a co-founder of Cadence and Synopsys, two leading companies in the area of electronic design automation. He was a Director of ViewLogic and Pie Design System and Chair of the Technical Advisory Board of Synopsys. He is the Chief Technology Advisor of Cadence Design System. He is a member of the Board of Directors of Cadence, where he is the Chairman of the Nominating Committee, Sonics Inc., and Accent, an ST-Cadence joint venture. He is the founder of the Cadence Berkeley Laboratories and of the Cadence European laboratories. He is the Scientific Director of the Project on Advanced Research on Architectures and Design of Electronic Systems (PARADES), a European Group of Economic Interest supported by Cadence, Magneti-Marelli and ST Microelectronics. He is an author of over 520 papers and ten books in the area of design methodologies, large-scale systems, embedded controllers, hybrid systems and tools.

In 1981 Dr. Sangiovanni-Vincentelli received the Distinguished Teaching Award of the University of California. He received the worldwide 1995 Graduate Teaching Award of the IEEE (a Technical Field award for “inspirational teaching of graduate students”). He has received numerous awards including the Guillemin-Cauer Award (1982–1983) and the Darlington Award (1987–1988). He is a Member of the National Academy of Engineering.